Call for S'pore data protection law to include public sector

Online feedback for Singapore's proposed data protection law closed last week, marking another step closer to the start of the country's data protection regime.Outlining enforcement rules and penalty for organizations, the proposed framework seeks to protect consumers' personal data through regulating the collection, use, disclosure, transfer and security of such data.

The data protection bill, however, excludes the public sector. As ZDNet Asia blogger and Singapore lawyer, Bryan Tan, points out, an "eye-catching point" is that government use of consumer information isn't covered in the proposed law. The government's rationale for this is that public sector rules already offer similar levels of protection for personal data as the proposed data protection bill.

I wonder also if these public sector rules apply to affiliated government agencies and their subsidiaries that may, or may not be strictly involved in national policies and related matters. And that's the question returning Tech Podium guest blogger, Ngiam Shih Tung, asks in his post today.

An engineering manager for an aerospace maintenance, repair and overhaul (MRO) company, Shih Tung is a Singaporean who has been closely following data privacy issues in the country and had urged in his previous blog for the public sector to be included in the data protection law.

While I understand the need for some government entities to be exempted from such legislation, for instance, to facilitate the sharing of essential data such as electronic medical records to provide better healthcare services, this "privilege" of exemption should be applied sparingly and only when it concerns citizens' welfare. And by welfare, I most definitely do not mean information-sharing for marketing purposes, promotional events or customer loyalty programmes that any affiliated government organization may be involved in, and certainly, not some dating service agency that targets university graduates.

Like Shih Tung, I doubt our government would reconsider its stance and include itself in the final data protection law. But I am hoping that with sufficient, and persistent, public feedback, Singapore's lawmakers will eventually realize the need to do so and make the right decision to stand alongside its global counterparts that have already done so.

My company recently decided to send its leadership team for a team-building activity organized by Outward Bound Singapore (OBS), and we were required to fill in OBS' course registration form which contained the usual disclaimers. Buried in the consent clause was this statement: "I also authorize the Outward Bound Singapore to disclose my personal information to its employees/agencies as it is necessary for official purposes in connection with the People's Association (including PAssion Card) Programmes."

Why should I give my personal information to the People's Association (PA) as a condition of taking part in an OBS programme? A bit of background here: OBS is the licensee of Outward Bound International in Singapore and is operated by the PA, which is a government agency that was set up to promote racial harmony and social cohesion. It does this through a network of Community Centres, so-called "grassroots organizations", and even a discount card programme, the PAssion Card, which was referred to in the disclaimer.

In my previous post here, I speculated that the public sector would be excluded from Singapore's proposed data protection (DP) law and unfortunately, I was proved correct when the Ministry of Information, Communication and the Arts (MICA) released its consultation paper on the proposed regime. According to the ministry, the public sector should be excluded from the law because "public sector rules accord similar levels of protections for personal data as the proposed DP law".

Insofar as they apply to the private sector, MICA's data protection proposals do appear to be consistent with international norms such as the OECD Guidelines and APEC Privacy Framework. Among the principles MICA has accepted is the principle of consent, stating that organizations must gain the consent of individuals before processing that person's data. Quoting MICA's consultation paper: "An organization may not, as a condition of supplying a product or service, require an individual to consent to the collection, use or disclosure of personal data beyond what is necessary to provide the product or service."

How then is it necessary for OBS to release my personal data to PA and the PAssion Card programme just to enroll me in a one-day team-building activity? There also was no check-off box for me to agree or disagree to the disclosure of my data to third parties--there was just a single omnibus consent clause.

The Singapore government has never revealed its internal rules for handling personal data but suffice to say, either OBS is not following the rules or the government's rules do not in fact provide the same level of protection as the DP Act is intended to provide in the private sector.

In any case, I struck off the part about disclosing data to PA and wrote in an additional "NO DISCLOSURE TO PA" for good measure on the form. We shall see whether I'll start receiving promotional mailings or phonecalls from PA anyway, despite my admonition to OBS not to disclose my data to PA.

In an interview with local English daily The Straits Times, PA's former head Tan Boon Huat admitted that grassroots leaders may be given access to the profiles of PAssion Card members. In the Singapore context, "grassroots leaders" refers to some 30,000 office-holders in grassroots organizations around Singapore.

While grassroots members are officially volunteers, they have close ties to ruling party Members of Parliament and their children receive preferential admission to schools in their district. Tan says that grassroots leaders have to follow the same confidentiality rules as PA staff but the fact is that grassroots leaders are volunteers--there is no contractual relationship between the PA and grassroots members. Hence, whatever rules PA may have are not legally binding on the grassroots leaders. Furthermore, because there is no employer-employee relationship between the PA and grassroots volunteers, PA is not legally responsible for the actions of a grassroots leader. According to the PA's Web site, there are 1,023,258 PAssion Card members today.

Quite apart from this specific case, there is a broader problem with the government's claim that its internal rules provide sufficient protection for personal data. The basic fact is that internal rules are not the same as legislation. They can be changed at any time and even if the government were to break its own rules, affected individuals would have no legal recourse.

Internationally, in a survey of 78 countries in Privacy Laws and Business International Report, all but Malaysia and India either included the public sector in their DP laws or had separate legislation for the public sector. The United States and Thailand do not have comprehensive privacy laws for their private sectors, but have privacy laws covering their public sectors.

Singapore, therefore, seems to be out of step with international trends in excluding its public sector from the country's data protection legislation.

I am not optimistic that the government will change its mind for this first iteration of the DP Act. However, I expect there will be enhancements to Singapore's DP regime in the future, and we can continue to urge the government to extend coverage of DP legislation to the public sector in Singapore in the near future.